Normally you can't have multiple route to the same IP that are the same distance out different interfaces. The FortiGate won't let you.
In order to do this you need to enable overlapping subnets.
As long the same IP does not exist behind both interfaces at the same time you won't have a problem. If you do, then your going to have an issue since the MAC address table will show whichever host last sent a packet.
config system setting
set allow-subnet-overap enable
You only need to have a gateway IP in your route if the IP address/range you're trying to connect to is outside the range of the interface itself.
You diagram doesn't include Port IP addresses of the FortiGate, but i would assume that Wan1 has an IP in the 192.168.1.0/24 subnet. Not sure what IP port 2 has right now, but it's not ia 192.168.1 IP obviously.
Once you enable the subnet overlapping you could assign a 192.168.1.0/24 IP to port2 or setup port2 with a secondary ip in the 192.168.1.0/24 range. Once you associate a 192.168.1.0/24 IP to port2 (through either method) you probably won't need to add a route. (not 100% certain about that ... say 80%)
Pretty sure that you can do a secondary IP from the GUI in any firmware version.
I wonder why nobody mentioned that routing only occurs between different networks, per definition. And the FGT is in Routing/NAT mode.
There have already 2 solutions been proposed:
- use a small switch in front of the FGT, feeding the FGT WAN port and the device needing the public IP address
- create a transparent VDOM
If you want the traffic to be protected you will have to use the VDOM approach. This isn't really difficult and done in 10 minutes. At least less time than this thread is already going on...just my 2 ct.
I do not really get the issue.. creating overlapping subnets sounds like a pain in the eh...
Most of the time i am asked for a similar solution, you can either convince the people that a natted address is fine, as they need a device being reachable by the offical IP, but do need to have the offical IP configured at the device.
Therefore instead of 192.168.1.3 you give a 172.16.1.1 and map this IP to the offical/public IP.
If they insist on a public ip configured at device level you simply can't have the (nat) firewall in between -> a internet Switch (or a VLAN on a existing switch) depending on your needs/security policys (e.g. Internet traffic may not reside on the same switch even if vlan sepearted) should do.
I guess some have longer experiences but i doubt that anyone knows the perfect solution for everything.
Often i encounter setups where someone "has heard something" and not propagates this without any knowledge:
e.g. a Citrix Admin has problems with his servers and he found a KB Article about spanning tree problems with citrix servers. The server Admins soultion: have STP disable for the citrix network, not realising that this is a "very brave" decision..
In the KB Article it was about port-fast as stp may take to long for DHCP request to go into forwarding.
Result: loops in the ctrix networks as stp was disabled. Enabling STP and everything was fine (Portfast by default, the citirx problem was never related to any stp.. but hey thats the way it rolls pointing to others if any errors occur).
therefore: Ask yourself/your customer whether he really wants such a strange solution. And keep in Mind: while fortinet does not do routing of same IP Networks through another interface Cisco ASA do not do this as well - as this is just a [strike]stupid[/strike] unusual Idea.
Just to clarify: there simply is no routing between the same networks. Full stop.This is just the way the IP protocol is designed.
And no, the FGT can route quite well without NAT. Just an example: it does so all the time when traffic crosses between local ports. That's what the automatic static routes ('connected') are for. There is no NAT involved in this.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.